Data-driven technologies have significant potential to improve health and social care. Sensory technology could monitor and assist independent living, patient/service user-facing apps could help to manage a range of health conditions, health and care professionals could use data-driven digital tools in diagnosis and treatment. IT systems such as electronic health and care records might incorporate data-driven software which enables more efficient delivery of care.

These technologies are powered by information. Understanding the complex legal and policy frameworks governing the processing of health and care information is an important part of realising the potential of data-driven technologies.

1.1 Audience

This guidance is written for people (primarily those working within NHS and social care organisations, but also innovators) who are developing, deploying, or monitoring data-driven technologies in health and social care in England, whether alone or in partnership with another organisation.

1.2 The purpose of this guidance

This guidance sets out the legal requirements relating to the use of health and care information in the development, deployment, and post-deployment monitoring (also known as service evaluation and post-market surveillance) of data-driven technologies. It also summarises when it is necessary to obtain research approval – such as approval that may be needed before you are able to access data for product development - from the Health Research Authority, and when you will need to follow guidance issued by the Medicines and Healthcare Products Regulatory Agency.

1.3 Structure

Section 2 of the guidance sets out the types of health and care information that might be used in developing, deploying, and monitoring data-driven technologies and the legal frameworks that apply to those types of information. Section 3 is structured around four phases:

In relation to each phase, the guidance draws on Sections 2 and 4 to set out the regulatory requirements and applicable approvals at each stage. The reader can access the requirements across the four phases or focus on a part that is relevant.

Section 4 provides a checklist of the standards, codes and approvals related to data-driven technologies.

There is also a Definitions section at the end of this guidance. Where a term is highlighted in blue it has been defined in the Definitions section. Use your browsers back button to return to the page you were on after reading the definition.

Back to legal requirements for using health and care data